ABSTRACT

In the healthcare field, preserving the privacy of patients' electronic health records has been a fundamental concern, and numerous techniques have emerged to protect such sensitive information. While traditional access control schemes act as a first line of defence against unauthorized access, they fall short of defending against misbehaviour by users who are already authenticated and authorized; a risk that can carry severe consequences should the data be disclosed or leaked. This paper introduces a novel risk reduction strategy for the healthcare domain in which the risk associated with an access request is evaluated against the privacy preferences of the patient undergoing the medical procedure. The proposed strategy determines the set of data objects that can safely be disclosed to the healthcare service provider, so that unnecessarily repeated tests and procedures are avoided while the privacy preferences of the patient are preserved.
I. INTRODUCTION

The electronic health records (EHR) [1, 2] of patients contain detailed information about their health problems and medical history. These records comprise sensitive data, such as previously diagnosed diseases and drug abuse, that the patient would prefer to keep confidential. Disclosure of such data, whether deliberate or unintentional, can have grave consequences for the patient, ranging from social stigma to difficulties in obtaining employment or health insurance [3]. In an effort to give patients more control over their EHRs, legislation such as the Health Insurance Portability and Accountability Act (HIPAA) [4] has been enacted. The privacy of such records must therefore be protected and has consequently been the subject of intensive research [5-8].

Numerous techniques can be used to preserve the privacy of medical records. As shown in Figure 1, privacy is normally managed through cryptographic, anonymization, or policy methods [9]. Anonymization techniques use statistical measures to hide the identity of a patient among other patients before the data is released to requesters, and are generally used for releasing large quantities of medical data for analytical purposes [10, 11]. Cryptographic techniques protect the sensitive records through security measures such as encryption [12, 13]. Finally, policy methods preserve the patient's privacy by enforcing rules and constraints for authenticating and authorizing access to the private data [14, 15]. It follows that the privacy of a specific patient who is currently undergoing a medical diagnosis or procedure cannot be preserved by anonymization, because the patient's identity is lost among the records of many patients. The feasible solution in such circumstances is therefore to use cryptographic or policy methods, or a combination of the two [9].



Figure 1. Different Privacy Preserving approaches 


Access control is one of the main mechanisms for preserving the privacy of medical records. It is a fundamental security mechanism that evaluates an access request against a set of constraints and rules before granting or denying access to system resources [12]. Several types of access control with different features exist in the literature, including Mandatory Access Control (MAC) [12], Role Based Access Control (RBAC) [15-19] and Attribute Based Access Control (ABAC) [20].

While access control can act as a first line of defence against unauthorized access by denying such requests, it cannot defend against misuse of system resources by users who have legitimately been granted access [21]. In the medical setting, healthcare professionals can abuse their access rights to patients' private health records, which increases the risk of leakage of the sensitive information. In the United States, the Department of Health and Human Services investigated the handling of patients' electronic health records at the UCLA (University of California, Los Angeles) hospital and found that records had been viewed excessively by medical staff without a valid reason [22].


To counter potential misuse by already authorized users, access control schemes can be augmented with risk assessment measures. One important measure is the trustworthiness of the access requester. Trust can be determined in several ways; one is to analyse the user's past behaviour towards a system resource in order to grant or deny future access requests [23]. The access control scheme thereby becomes more adaptive and dynamic in responding to access requests, because the trust level of the requester varies over time, in contrast to traditional access control schemes [21, 24].

When risk assessment measures are incorporated into access control, a risky access request can be allowed rather than denied if its risk lies within a tolerable threshold. In that case, however, risk reduction strategies must be applied to lower the risk associated with the access [25, 26]. Risk reduction techniques are obligations [27, 28] performed to minimize the risk of an access request, such as strengthening security measures, anonymizing the datasets, or issuing system alerts and notifications [29].

This research addresses the preservation of the privacy of a patient's EHR by incorporating a risk assessment element. Specifically, a risk reduction technique is proposed to lower the risk associated with an access request initiated by a healthcare professional for a particular patient's health record. When a risky access request is made, the proposed technique exposes only the patient's relevant and less sensitive data. The risk reduction strategy is therefore risk-aware and privacy preserving, in addition to being consistent with the HIPAA Privacy Rule.

The remainder of this paper is organized as follows. Section II presents the background information on which the research is founded. Section III presents the related work. The proposed risk reduction strategy is described and analysed in Section IV. Section V concludes the paper.

II. PRELIMINARIES 

A. The Health Insurance Portability and Accountability Act (USA)

HIPAA [4] is a United States legislation that provides rules and regulations for securing electronic medical records with the ultimate goal of preserving patient privacy. The legislation consists of multiple titles; title II of the act is concerned with the regulations for safeguarding health record transactions and disclosure. Under title II, the HIPAA Privacy Rule sets national standards for preserving patients' privacy. In effect, the rule prohibits healthcare professionals from releasing a patient's medical data to third parties without explicit written authorization from the patient. Furthermore, access to a patient's medical records without a legitimate reason should not be allowed, since it violates the patient's privacy. However, where access to the patient's stored medical data is deemed necessary in order to advance the current medical treatment, HIPAA allows medical professionals to access such records. Finally, the legislation specifies penalties and fines for violating the privacy rules stated therein.

B. Risk Assessment in Information Security

In its detailed risk assessment guide, the National Institute of Standards and Technology (NIST) [26] describes the method by which a risk assessment is conducted. According to the definitions in the guide, if an entity is vulnerable to a certain threat event, the risk is defined as a function of the likelihood of the threat and its potential impact. That is:

Risk = Likelihood * Impact (1)

III. RELATED WORK 

A. Risk-aware Access Control Models 

Risk-Aware Access Control (RAAC) schemes [30] are considered a new, dynamic and adaptable type of access control model because they incorporate risk assessment methods. In such models, access is permitted or denied based on the outcome of a risk assessment function. When an access request is considered risky but within acceptable bounds, risk reduction methods can be applied so that the risk incurred by the access is minimized.

The National Institute of Standards and Technology has developed a general risk-based access control model based on the models proposed in [31]. Several elements are incorporated to assess the risk, namely operational need, situational factors and risk measures. A conceptual model for risk-aware attribute based access control [24] has been proposed on the basis of these earlier works. Generally, the risk-aware access control models proposed in the literature follow the NIST definition [26] of risk assessment, in which risk is evaluated as the threat likelihood multiplied by the associated impact [32-38]. The subject requesting access and the object being requested are each associated with security clearances or weights, which are then incorporated into the risk calculation. Access control models that use trust evaluations can be broadly divided into two categories: static trust evaluations [34] and dynamic trust evaluations [36, 39]. Nonetheless, once a risky access request is allowed, the risk should be lowered to an acceptable level using risk reduction techniques; an option employed by only a subset of the models.

B. Risk Reduction Techniques 

Risk reduction in access control models consists of obligations that must usually be fulfilled in order to lower the potential impact of a risky access request [27, 28]. Risk can be reduced by several means, such as applying anonymization techniques [40, 41, 44] to protect against potential vulnerabilities, strengthening the security measures of the system (for example, by increasing the length of encryption keys), or imposing a set of rules and required actions. Such obligations, all of which are supervised by the system, must be satisfied by the user either before or after access is granted [29]. Figure 2 illustrates the risk reduction approaches that can be employed.



[Figure 2: Risk Reduction Strategies, with three branches: Anonymization, Security Measures, Use Obligations]

Figure 2. Risk reduction strategies for minimizing the riskiness of an access request

IV. THE PROPOSED RISK REDUCTION 
STRATEGY 

A. The proposed risk reduction strategy 
1) System Components 
1.1) Trust calculation 

In order to assess the risk incurred by an access request, the trust level of the requesting entity must be calculated; it is later evaluated by the other components. Trust is generally defined as a forecast of an entity's future behaviour based on its historical behaviour [23]. Trust can be evaluated in several ways, such as mining past behaviour, using recommender systems to associate a subject with a recommended trust level or, more statically, having the system administrator assign a security clearance to each entity [42].

Since trust calculation is application specific and the system administrator can choose the appropriate trust model for the requirements of the system, the proposed system assumes that trust values have already been computed and are ready for evaluation by the risk reduction system. Nevertheless, one widely known method of calculating and evaluating trust from a user's past behaviour, in order to support decisions on future access requests, is the Subjective Logic model [42]. In this model, the trust level of a user is computed using probabilistic methods based on Bayesian principles. An entity u requesting access to a system resource i is given a trust representation, or opinion, formed by an entity w. That is, the opinion formed by w about the access requester u with regard to i is represented by the following tuple:


$$\omega^{w}_{u:i} = \left(b^{w}_{u:i},\; d^{w}_{u:i},\; u^{w}_{u:i},\; a^{w}_{u:i}\right) \qquad (2)$$

where

$$b^{w}_{u:i} + d^{w}_{u:i} + u^{w}_{u:i} = 1$$

In the above formula, $b^{w}_{u:i}$, $d^{w}_{u:i}$ and $u^{w}_{u:i}$ represent the degree of belief, disbelief and uncertainty of entity $w$ with regard to trusting $u$ with system resource $i$. Furthermore, $a^{w}_{u:i}$ represents the a priori, or base-rate, knowledge of entity $w$ regarding $u$ when no previous history is available; a typical situation when new users enter the system.

To allow for dynamicity, the trust levels need to be updated according to the observed behavioural evidence. To update the trust values, two parameters are introduced: $r^{w}_{u:i}$ and $c^{w}_{u:i}$. The former counts the number of positive actions, while the latter counts the negative ones. Based on these parameters, the trust level of an entity requesting access is updated using the following equations, which are the standard Subjective Logic mapping from evidence counts to an opinion [42]:

$$b^{w}_{u:i} = \frac{r^{w}_{u:i}}{r^{w}_{u:i} + c^{w}_{u:i} + 2}, \qquad d^{w}_{u:i} = \frac{c^{w}_{u:i}}{r^{w}_{u:i} + c^{w}_{u:i} + 2}, \qquad u^{w}_{u:i} = \frac{2}{r^{w}_{u:i} + c^{w}_{u:i} + 2} \qquad (3)$$

Based on the above equations, in the initial situation where no behavioural history exists for the user, the values are:

$$b^{w}_{u:i} = 0,\quad d^{w}_{u:i} = 0,\quad u^{w}_{u:i} = 1 \quad \text{and} \quad a^{w}_{u:i} = 0.5$$
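As an added example (not code from the paper) of how the trust component above can be realized, the following Python code implements the Subjective Logic mapping from the positive and negative evidence counts $r$ and $c$ to the opinion tuple of Equation (2) and derives a single trust level from it. The probability expectation $E = b + a \cdot u$ used to collapse the opinion into one number, the `TrustLedger` class and the access history it is fed are assumptions made for this example; the paper itself treats the trust model as pluggable.

```python
from dataclasses import dataclass

# Non-informative prior weight of the standard Subjective Logic evidence mapping:
# b = r / (r + c + W), d = c / (r + c + W), u = W / (r + c + W), with W = 2.
PRIOR_WEIGHT = 2.0


@dataclass(frozen=True)
class Opinion:
    """Opinion w^w_{u:i} = (b, d, u, a) of entity w about requester u on resource i."""
    belief: float
    disbelief: float
    uncertainty: float
    base_rate: float = 0.5  # a: prior knowledge used when no history exists

    def expectation(self) -> float:
        # Probability expectation E = b + a*u, used here (an assumption) as the
        # scalar trust level that the risk reduction component compares against.
        return self.belief + self.base_rate * self.uncertainty


def opinion_from_evidence(r: int, c: int, base_rate: float = 0.5) -> Opinion:
    """Map r positive and c negative observations to (b, d, u, a)."""
    if r < 0 or c < 0:
        raise ValueError("evidence counts must be non-negative")
    denominator = r + c + PRIOR_WEIGHT
    return Opinion(r / denominator, c / denominator, PRIOR_WEIGHT / denominator, base_rate)


class TrustLedger:
    """Keeps (r, c) per (requester, resource) pair; the opinion is derived on demand.

    Only the raw counters are stored, so any trust value can be recomputed and
    audited from the evidence rather than from an opaque running score.
    """

    def __init__(self, base_rate: float = 0.5) -> None:
        self._counts = {}  # (requester, resource) -> (r, c)
        self.base_rate = base_rate

    def record(self, requester: str, resource: str, positive: bool) -> None:
        r, c = self._counts.get((requester, resource), (0, 0))
        self._counts[(requester, resource)] = (r + 1, c) if positive else (r, c + 1)

    def opinion(self, requester: str, resource: str) -> Opinion:
        r, c = self._counts.get((requester, resource), (0, 0))
        return opinion_from_evidence(r, c, self.base_rate)

    def trust_level(self, requester: str, resource: str) -> float:
        return self.opinion(requester, resource).expectation()


def build_example_ledger() -> TrustLedger:
    """Constructed audit history (not real data): each tuple is one reviewed access
    by a doctor to a record type, with True meaning the access was justified."""
    history = (
        [("dr_a", "ehr", True)] * 8            # eight justified accesses
        + [("dr_b", "ehr", True)] * 8          # eight justified accesses ...
        + [("dr_b", "ehr", False)] * 2         # ... and two without a valid reason
    )
    ledger = TrustLedger()
    for requester, resource, positive in history:
        ledger.record(requester, resource, positive)
    return ledger


if __name__ == "__main__":
    ledger = build_example_ledger()
    for who in ("dr_a", "dr_b", "dr_new"):
        op = ledger.opinion(who, "ehr")
        print(f"{who}: b={op.belief:.3f} d={op.disbelief:.3f} "
              f"u={op.uncertainty:.3f} trust={op.expectation():.3f}")
```

Because only the counters are stored, the new-user case of the text needs no special branch: an empty history yields $(0, 0, 1, 0.5)$, that is, full uncertainty and a trust level equal to the base rate, and every later observation moves the opinion away from that prior.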


1.2) Disease Relevance Matrix

The purpose of the disease relevance matrix (DRM) is to provide relevance information for the different diseases. That is, for the set of $n$ diseases $D_1, D_2, D_3, \ldots, D_n$, two diseases are relevant to one another if they have a positive relevance value. As illustrated in Figure 3, diseases $D_1$ and $D_3$ are correlated and relevant to each other because they have a positive relevance value. Relevance between the different diseases can be obtained using several approaches. One effective approach, proposed in [43], is to mine for correlation information in the hospital's database. In that approach, the system maintains a log of all access requests that have been made to patients' medical records for medical purposes, such as diagnosing a disease. The access request information between the different patient records and the medical purposes for which they were accessed is therefore available and is used as observation instances. The relevance function $f_n(r, p, t)$ calculates the total number of access requests made by a healthcare professional $r$ to patients' health records of type $t$ in order to serve a medical purpose $p$. Similarly, the function $f_n(G_r, p, t)$ yields the total number of access requests made by all healthcare professionals classified under the same group $G_r$ as $r$ to medical records of type $t$ in order to serve purpose $p$. Maintaining such information is crucial for calculating and inferring correlation information between the different diseases. That is, if a medical record classified under type $t$ is frequently accessed to serve some purpose $p$, then it can be inferred that there is a degree of correlation and relevance between the two, and vice versa. Such relevance information is obtained by means of Bayesian conditional probability as follows:

$$P(r, p, t \mid i) = P(r \mid i)\, P(p \mid r, i)\, P(t \mid p, r, i) \qquad (4)$$

where $i \in \{0, 1\}$ is the relevance class of the access request $X = (r, p, t)$: $P(1 \mid X)$ denotes that the access request is relevant, while $P(0 \mid X)$ denotes that the access request is not relevant.

The term $P(r \mid i)$ yields the proportion of past access requests in relevance class $i$ that were made by entity $r$, and can be estimated from the total number of access requests made by $r$. However, to handle the case where the requesting entity is new to the system, smoothing is applied by incorporating the total number of access requests made by all entities belonging to the same group $G_r$. Therefore,

$$P(r \mid i) = \frac{\alpha\, f_n(r, i) + (1-\alpha)\, f_n(G_r, i)}{f_n(i)} \qquad (5)$$

where $\alpha \in [0, 1]$ and $f_n(i)$ is the total number of access requests in class $i$. Similarly, the estimates of $P(p \mid r, i)$ and $P(t \mid p, r, i)$ are

$$P(p \mid r, i) = \frac{\beta\, f_n(p, r, i) + (1-\beta)\, f_n(p, G_r, i)}{\beta\, f_n(r, i) + (1-\beta)\, f_n(G_r, i)} \qquad (6)$$

and

$$P(t \mid p, r, i) = \frac{\gamma\, f_n(t, p, r, i) + (1-\gamma)\, f_n(t, p, G_r, i)}{\gamma\, f_n(p, r, i) + (1-\gamma)\, f_n(p, G_r, i)} \qquad (7)$$

where $\beta, \gamma \in [0, 1]$, $f_n(p, r, i)$ computes the total number of access requests made by entity $r$ to serve medical purpose $p$, and $f_n(t, p, r, i)$ computes the total number of access requests for patients' records of type $t$ made by entity $r$ in order to serve purpose $p$; the corresponding $G_r$ terms count the same requests over all members of the group of $r$.

In effect, the proposed analytical approach can decide whether an access request made on a certain patient record is relevant to the healthcare provider's own profession, as in Equation (6). Moreover, it can decide whether an access request made on the patient's record is relevant to the associated medical purpose, such as diagnosing some disease, as in Equation (7), which effectively establishes the relevance between the different types of diseases. Such correlation information can be stored in the Disease Relevance Matrix and updated frequently.

Figure 3. Disease Relevance Matrix: two data objects are correlated if they have a positive intersecting value

1.3) Patient Privacy Preferences

The privacy preferences for disease disclosure are obtained from the corresponding patient when they fill out their medical forms and are afterwards entered into the system by healthcare staff. Each previously diagnosed and stored disease is therefore associated with a privacy preference that states how sensitive the data is to the patient. In effect, for two disease objects $o_i$ and $o_j$ with sensitivity weights $w_i$ and $w_j$, scaled to $[0, 1]$, if $w_i > w_j$ then disease object $o_i$ is considered more sensitive than disease $o_j$, and vice versa.

1.4) The Risk Measure Formula

The risk measure formula is a mathematical equation, to be developed in future work, that assesses the riskiness of an access request to the patient's relevant data according to the trust level $t$ of the doctor and the privacy preferences $\{w_1, w_2, \ldots, w_n\} \in W$ of the patient.

B. The Risk Reduction Strategy

In the proposed risk reduction strategy, every access request by a healthcare professional to a patient's private data must be evaluated for potential risk. As illustrated in Figure 4, a doctor is treating a particular patient for a health issue. To avoid repeating tests and medical procedures, and to support better diagnostic decisions, the doctor issues an access request to the patient's stored health records. On receiving the access request, and in keeping with the HIPAA Privacy Rule, the risk reduction strategy retrieves the set of the patient's diseases that have a positive relevance to the current diagnostic effort, together with their sensitivity weights. Once this data is obtained, the Data Combination Risk Calculator, which applies the Risk Measure Formula, searches for the appropriate combinations of patient data; these are then evaluated against the trust level of the doctor for potential disclosure. Evidently, for two patients who are treated by the same doctor and have the same set of previously diagnosed and stored diseases but different privacy preferences, the output of the proposed risk reduction strategy will differ and be tailored to each situation, so that quality healthcare is delivered without undermining the privacy preferences of either patient.



[Figure 4: components shown include the Patient and the Exposed Data]

Figure 4. System components of the high-level architecture for the proposed risk mitigation strategy

Figure 5 illustrates in more detail the activities and actions performed by the proposed Risk Reduction Strategy. When the system has found the set of relevant diseases in the data of the patient to which a doctor requests access, it computes the possible data combinations in reverse order. That is, the system begins by generating and computing the Risk Measure value for the combination that includes all $n$ relevant diseases. If the resulting Risk Measure value exceeds the trust level of the doctor, the system iterates and generates data combinations with fewer diseases, excluding one disease at a time and computing the Risk Measure value incurred, and so on. The goal is to find the combination with the maximum number of diseases and the maximum Risk Measure value that still lies below the trust level of the doctor. If such a combination is found, the corresponding data is disclosed to the doctor. However, if the system fails to find a suitable relevant data combination for the doctor's trust level, the data is regarded as highly private and explicit consent must be obtained from the patient.



Figure 5. Main actions performed by the proposed risk reduction strategy, where n denotes the total number of the patient's relevant diseases obtained from the DRM.
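The following Python code is an added example, not the paper's own code, of the reverse combination search described above and in Figure 5, preceded by the DRM filtering step of Section IV.B. Since the Risk Measure Formula is left to future work, the example substitutes a placeholder noisy-OR combination of the sensitivity weights (an assumption, labelled in the code), and the DRM values, disease names and patient preferences are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from math import prod
from typing import Callable, Dict, FrozenSet, Optional, Sequence, Tuple

# Constructed Disease Relevance Matrix, stored as a symmetric sparse map:
# a positive value means the two diseases are relevant to each other.
DRM = {
    frozenset({"chest_pain", "hypertension"}): 0.8,
    frozenset({"chest_pain", "diabetes"}): 0.5,
    frozenset({"chest_pain", "hiv"}): 0.3,
    frozenset({"chest_pain", "eczema"}): 0.0,
}


def drm_relevance(drm, a: str, b: str) -> float:
    return drm.get(frozenset({a, b}), 0.0)


def relevant_diseases(drm, current_diagnosis: str, preferences: Dict[str, float]) -> Dict[str, float]:
    """Step 1: keep the patient's stored diseases with positive relevance to the current
    diagnostic effort, together with their sensitivity weights w scaled to [0, 1]."""
    for w in preferences.values():
        if not 0.0 <= w <= 1.0:
            raise ValueError("sensitivity weights must be scaled to [0, 1]")
    return {d: w for d, w in preferences.items() if drm_relevance(drm, current_diagnosis, d) > 0}


def noisy_or_risk(weights: Sequence[float]) -> float:
    """Placeholder Risk Measure (an assumption of this example; the paper leaves the
    formula to future work): the probability that at least one disclosed item causes
    harm, treating each item's sensitivity weight as an independent probability."""
    return 1.0 - prod(1.0 - w for w in weights)


@dataclass(frozen=True)
class Decision:
    disclosed: FrozenSet[str]
    risk: Optional[float]
    consent_required: bool


def select_disclosure(relevant: Dict[str, float], trust_level: float,
                      risk_measure: Callable[[Sequence[float]], float] = noisy_or_risk) -> Decision:
    """Reverse search of Figure 5: start from all n relevant diseases, then drop one
    disease at a time. Return the largest combination whose risk does not exceed the
    doctor's trust level (the highest-risk such combination at that size), or require
    explicit patient consent when no combination fits."""
    diseases = sorted(relevant)
    for size in range(len(diseases), 0, -1):
        best: Optional[Tuple[Tuple[str, ...], float]] = None
        for combo in combinations(diseases, size):
            risk = risk_measure([relevant[d] for d in combo])
            if risk <= trust_level and (best is None or risk > best[1]):
                best = (combo, risk)
        if best is not None:
            return Decision(frozenset(best[0]), best[1], False)
    return Decision(frozenset(), None, True)


def evaluate_request(drm, current_diagnosis: str, preferences: Dict[str, float],
                     trust_level: float) -> Decision:
    return select_disclosure(relevant_diseases(drm, current_diagnosis, preferences), trust_level)


# Constructed patient records: the same stored diseases, different privacy preferences.
PATIENT_1 = {"hypertension": 0.2, "diabetes": 0.3, "hiv": 0.9, "eczema": 0.1}
PATIENT_2 = {"hypertension": 0.2, "diabetes": 0.3, "hiv": 0.2, "eczema": 0.1}

if __name__ == "__main__":
    for label, prefs in (("patient 1", PATIENT_1), ("patient 2", PATIENT_2)):
        for trust in (0.75, 0.35, 0.1):
            d = evaluate_request(DRM, "chest_pain", prefs, trust)
            print(label, trust, sorted(d.disclosed), d.risk, d.consent_required)
```

Two points a deployment should settle before using this search. Enumerating every combination costs $O(2^n)$ in the number of relevant diseases, so the caller should bound $n$ or fall back to a greedy drop-one pass for large records. Also, the criterion in the text selects the highest-risk combination that still fits under the trust level; if a deployment prefers the lowest-risk combination of the same size, that is a one-line change in the comparison.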
V. CONCLUSION

In the field of healthcare, preserving the privacy of patients' EHRs is a most important issue. Numerous approaches have been suggested and implemented to address privacy preservation by means of risk assessment and estimation. In addition, a risky access request can be allowed by applying a suitable risk reduction technique.

In electronic health records there is a significant need to design privacy-preserving systems that follow usable and well-organized data search strategies. Among others, reliability and privacy are two important requirements that may affect the linkability of medical records across different health service providers (HSPs). A given HSP may not satisfy the patient's safety needs, and collecting data from such an HSP while aggregating data from all HSPs to build the patient's medical history affects the reliability of that history. In e-health, trust can be established on the basis of the quality and reliability of the HSP, the health professionals and the data standard. Researchers have been pursuing semantic interoperability of EHRs to allow the sharing of medical data across healthcare organizations, but it has not yet been realized. Standardization frameworks that maintain data integrity and incorporate an integrated EHR schema with common semantics need to be improved to allow data sharing across health information exchanges. Digital devices, from mobile phones to smart cards and RFID tags, are becoming ubiquitous.

Rapid advances in mobile technologies and applications have created new opportunities for incorporating mobile health into existing e-health services. This emphasizes the need to design lightweight privacy-preserving e-health protocols suitable for resource-constrained devices. A number of open research issues remain in privacy-enabled e-health systems supporting varied environments, including: (i) support for heterogeneous environments, (ii) support for different stakeholders by allowing different types of access and usage control, (iii) support for crisis conditions, (iv) trust and reputation modelling, (v) interoperability, (vi) data integrity, and (vii) traceability of illegitimate distribution and of malicious users.

In this regard, this paper introduced a risk reduction strategy that controls access to a patient's sensitive data based on the trustworthiness of the requesting healthcare provider and on the privacy preferences of the patient, represented as sensitivity weights.